Use secrets in training runs

APPLIES TO: Basic edition, Enterprise edition (Upgrade to Enterprise edition)

In this article, you learn how to use secrets in training runs securely. Authentication information such as your user name and password are secrets. For example, if you connect to an external database in order to query training data, you would need to pass your user name and password to the remote run context. Coding such values into training scripts in cleartext is insecure, as it would expose the secret.

Instead, your Azure Machine Learning workspace has an associated resource called an Azure Key Vault. Use this Key Vault to pass secrets to remote runs securely through a set of APIs in the Azure Machine Learning Python SDK.

The basic flow for using secrets is:

  1. On your local computer, log in to Azure and connect to your workspace.
  2. On your local computer, set a secret in the workspace Key Vault.
  3. Submit a remote run.
  4. Within the remote run, get the secret from Key Vault and use it.

Set secrets

In Azure Machine Learning, the Keyvault class contains methods for setting secrets. In your local Python session, first obtain a reference to your workspace Key Vault, and then use the set_secret() method to set a secret by name and value. The set_secret method updates the secret value if the name already exists.

from azureml.core import Workspace
from azureml.core import Keyvault
import os

# Connect to the workspace described by the local config.json
ws = Workspace.from_config()
# Read the secret value from the environment, never from source code
my_secret = os.environ.get("MY_SECRET")
# Get the workspace's default Key Vault and store the secret by name
keyvault = ws.get_default_keyvault()
keyvault.set_secret(name="mysecret", value=my_secret)

Do not put the secret value in your Python code, as it is insecure to store it in a file as cleartext. Instead, obtain the secret value from an environment variable (for example, an Azure DevOps build secret) or from interactive user input.

You can list secret names using the list_secrets() method, and there is also a batch version, set_secrets(), that allows you to set multiple secrets at a time.

Get secrets

In your local code, you can use the get_secret() method to get the secret value by name.

For runs submitted with Experiment.submit, use the get_secret() method with the Run class. Because a submitted run is aware of its workspace, this method shortcuts the Workspace instantiation and returns the secret value directly.

# Code in the submitted run
from azureml.core import Experiment, Run

# Run.get_context() returns the run this script was submitted as,
# so no Workspace object (and no separate login) is needed here
run = Run.get_context()
secret_value = run.get_secret(name="mysecret")

Be careful not to expose the secret value by writing or printing it out.

There is also a batch version, get_secrets(), for accessing multiple secrets at once.
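The following added example (not code from the original article or from the Azure Machine Learning SDK) ties the two halves of the flow together: on the local side, it builds a batch of secrets from environment variables (never from source) and pushes them with the batch set_secrets() method; on the run side, it fetches several secrets at once with get_secrets() and shows a redaction helper so that nothing secret reaches logs. The assumed SDK signatures are Keyvault.set_secrets(dict), Keyvault.list_secrets() returning a list of {"name": ...} dicts, and Run.get_secrets(list) returning a dict; the InMemoryKeyvault and InMemoryRun classes are constructed stand-ins so the example runs offline, and in practice you would pass ws.get_default_keyvault() and Run.get_context() instead. The sample environment values are constructed.

```python
import os
from typing import Dict, Iterable, List, Mapping, Optional

# Key Vault secret names may only contain letters, digits and hyphens,
# so an environment variable such as DB_PASSWORD becomes "db-password".
def to_vault_name(env_name: str) -> str:
    return env_name.lower().replace("_", "-")

def collect_secrets_from_env(env_names: Iterable[str],
                             environ: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Build a {vault_name: value} batch from environment variables.

    Refuses to continue if any variable is missing or empty, so a blank
    value is never silently stored in Key Vault.
    """
    environ = os.environ if environ is None else environ
    batch: Dict[str, str] = {}
    missing: List[str] = []
    for env_name in env_names:
        value = environ.get(env_name)
        if not value:
            missing.append(env_name)
        else:
            batch[to_vault_name(env_name)] = value
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(sorted(missing)))
    return batch

def push_secrets(keyvault, batch: Mapping[str, str]) -> List[str]:
    """Local side: store the whole batch with set_secrets() and return the
    sorted secret names now present in the vault (names only, never values)."""
    keyvault.set_secrets(dict(batch))
    return sorted(entry["name"] for entry in keyvault.list_secrets())

def fetch_secrets(run, names: Iterable[str]) -> Dict[str, str]:
    """Run side: fetch several secrets in one call and fail fast on any
    secret that came back empty, before the training code uses it."""
    names = list(names)
    values = run.get_secrets(names)
    empty = [n for n in names if not values.get(n)]
    if empty:
        raise RuntimeError("secrets not available in run: " + ", ".join(empty))
    return values

def redact(value: str, keep: int = 2) -> str:
    """Mask a secret for logging: keep a short prefix, star out the rest."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)

# Constructed stand-ins (assumption) mirroring the SDK methods used above.
class InMemoryKeyvault:
    def __init__(self) -> None:
        self._store: Dict[str, str] = {}
    def set_secrets(self, secrets_batch: Mapping[str, str]) -> None:
        self._store.update(secrets_batch)
    def list_secrets(self) -> List[Dict[str, str]]:
        return [{"name": n} for n in self._store]
    def get_secrets(self, secrets: List[str]) -> Dict[str, str]:
        return {n: self._store.get(n, "") for n in secrets}

class InMemoryRun:
    def __init__(self, keyvault: InMemoryKeyvault) -> None:
        self._kv = keyvault
    def get_secrets(self, secrets: List[str]) -> Dict[str, str]:
        return self._kv.get_secrets(secrets)

if __name__ == "__main__":
    # Constructed sample environment; real values come from the shell or CI.
    env = {"DB_USER": "svc-trainer", "DB_PASSWORD": "p4ssw0rd!"}
    vault = InMemoryKeyvault()
    print("stored:", push_secrets(vault, collect_secrets_from_env(env, env)))
    got = fetch_secrets(InMemoryRun(vault), ["db-user", "db-password"])
    for name, value in got.items():
        print(name, "=", redact(value))   # only the masked form is logged
```

Passing the vault and run objects as parameters keeps the training script's secret handling testable without a workspace, and the single get_secrets() call means one round trip for all credentials the script needs.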

Next steps